Leveraging technology for trust: A blockchain-based Aadhaar?

While the decision of the nine-judge bench of the Supreme Court on the Right to Privacy gives much cause for celebration, it also merits a pause for reflection, specifically regarding the ramifications for Aadhar. Sounding the death knell for the Unique Identification program may be altogether premature as the court has culled out a careful caveat (presumably) in Aadhar’s favour. However, it has balanced this position by entrusting the Government with the responsibility of securing an individual’s information. So, although Aadhar will not be done away with, it will most certainly have to meet the data protection stipulations set out in the judgment.

The grievance with Aadhar is primarily one of trust. Those rallying against the program cite security concerns with the program’s biometric requirements and its centralised identity database. The Government, for its part, has done little to inspire confidence in Aadhar and assuage these apprehensions. And while a data protection law will mitigate some of these issues, it would hardly help rebuild the social capital the Government needs to reduce friction on the matter. In a country with a population that is largely distrustful of technology, generating goodwill on this front is imperative for the success of the panoply of digitally-centric Government initiatives currently in place. The Government has to be more proactive in this stead and look at trust-building avenues beyond legislation.

Technology has long been tapped to bridge gaps between policy and practical realities, especially in emerging economies like India. This can be evinced by the proliferation of technology services like cab aggregators and e-commerce that help overcome the traditional market failures that emerging economies suffer from, like inadequate infrastructure and market isolation. Similarly, in the case of Aadhar, a mix of technology and policy are required to bolster trust in the system. A possible solution, then, could lie in leveraging technologies like blockchains, that already have trust incorporated into their architecture.

The blockchain is a type of distributed ledger technology that first gained prominence as the technology underpinning Bitcoin. Bitcoin created a way for two strangers to transact over an untrusted medium like the internet safely and securely without the intervention of a trusted third-party like a bank.

A blockchain is a log of a series of transactions maintained by a network of trusted nodes. When a transaction takes place, it is verified by the nodal network using complex mathematics. Transaction information is converted into a string of arbitrary numbers through a process called hashing. Hashing essentially involves distilling any information into a 64-digit code using the SHA256 algorithm. Any amount of information, even the text of an entire book, can be used to generate this 64-digit number, which acts as a digital signature. If you were to change a single letter of that book, it would create an altogether different digital signature. However, the same combination of characters will produce the same signature every time. Thus, hashing can be used to verify a set of data without actually storing the data it is being used to check.

The nodal consensus mechanism combined with the cryptographic hashing system make blockchains difficult to hack or alter. An individual attempting to change information on a particular block, for instance, would have to necessarily alter the entire chain of blocks, of which that block is a part, to do so. This is an insurmountable challenge for most for two reasons. First, he/she would need an immense amount of computing power to do so, more than the entire network to be precise. Second, his/her activity would be spotted by the network and flagged immediately. Hacks that have taken place have mainly happened because the network was using an open-source code.

The blockchain can, thus, track anything that has value in the digital realm. This is significant since it allows users to see (to a large extent) where and how their information is being used.

Thus, its usage has proliferated across many different industries including the banking, shipping, and even the Media and Entertainment. Lately, there’s been a fair amount of buzz around its potential to serve as digital identity database. Specifically, it is being used by start-ups to guard against digital identity theft and fraud. It is also being used by Microsoft to create an ID system for refugees who do not have any documentation to prove who they are.

In the Right to Privacy judgment, Justice Chandrachud gives an exhaustive account of the complications of data protection in the digital age. While some of these issues are brought about by characteristics that are inherent to the nature of information, others concern the nature of user experience on the internet. With regard to information, he states that information is nonrivalrous which means that multiple individuals can use it or access it at the same time. Further, he points out that a lot of the data that is available is inconspicuous, which makes it hard to identify when privacy has indeed been invaded. Moreover, he states that it is “recombinant” which means that information can be resynthesized to create more information. Additionally, he points out that individuals, through the course of their online activities, volunteer more information about themselves than they may be aware of.The judgment concludes that data protection regulation, then, must do three key things.

First, it must safeguard matters where there is a “reasonable expectation of privacy” such as personal medical reports. Second, it must go beyond the personal privacy and also protect individual autonomy. Third, it must also ensure that there is no discrimination in terms of race, political leanings, faith, mental or physical health, or sexual preference when data is collected.

What can be gleaned from these conditions is that an individual’s personal data must be taken with his consent and that this must be done in a way that is transparent. The Government has responded to this challenge with a proposal for a comprehensive data protection bill, a draft of which slated to be ready sometime in December.

As it currently stands, Aadhar does not adequately safeguard personal information and therefore fails to meet the conditions set down in the Right to Privacy judgment. A report by the Indian Institute of Technology, Delhi revealed that the current Aadhar system is open to attack both from external as well as internal sources as it stores information on a centralized database. If the database is compromised in any way, either by an internal leak or an external hack, the information on it can be used for authentication. The report also argues that biometric information is not a great security measure as it can easily be extracted from the public domain such as a fingerprint which can be lifted from anything someone touches. Linking Aadhar to bank accounts, PAN numbers, and phones, then, exposes an individual’s entire existence to a substantial amount of risk.

A blockchain-based Aadhar would help the database match the data protection stipulations outlined in the Right to Privacy judgment. It would allow for information to be collected and held transparently, with the consent of the individual whose information it is. Additionally, it would virtually do away with the concerns about storing biometric data in a centralized database. A blockchain based Aadhar identity system, then, would allow the Government to meet its purported goals for the Aadhar without compromising the security of individual’s information. Though a blockchain-based Aadhar has been suggested before, concerns about operationalizing a scheme of this magnitude have not been adequately brought out.

First, given the immense cost and scale of the Aadhar project, would it be economically feasible to change Aadhar’s technical architecture this late in the game? Second, as blockchains are a complex and energy-intensive technology to deploy, does UIDAI have the bandwidth for a system like this? Third, there may be issues with technology compatibility, and it might be altogether impossible to integrate blockchains with the current Aadhar database. Fourth, it might be difficult to onboard individuals and get them to trust the technology, given the unfortunate publicity blockchains has received for its connections with the nefarious Silk Road network. Fifth, in the case of private blockchains, where all the nodes know one another, there lies a significant risk of nodal collusion.

These are questions that must be answered before looking seriously to blockchains to solve the issues with Aadhar. However, with this in mind, it is also imperative for the Government to go beyond the bill of legislative acts if it wants to bolster confidence in the Aadhar program and realise its vision of a truly digital India.